App.exe is not a valid Win32 application Malware infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by ganymede55, Jul 4, 2009.

  1. ganymede55

    ganymede55 Private E-2

    I've been involved in PCs for some years and handled several virus infections, but this apparent malware attack has me stumped. Basically I can't run or install anything related to virus protection (Zone Alarm Security Suite was the primary protection, but doesn't work now. I have since installed AVG and Avast with no luck, and the Microsoft Malicious Software Removal tool won't even install). All of these applications fail to open with the message "exe name is not a valid Win32 application".

    Additionally, I can't connect to the Internet, so I can't run any of the online scanners. Finally, I can't do a system restore either. Ironically, I was just reading up on using Ghost to upgrade my hard drive size. A few more hours and I could have simply restored an image...aargh. I noticed several similar threads, but not quite the same.

    The only thing that I have found that does work at all is Malwarebytes' Anti-Malware. It found 8 infections the first time and was able to clear all but 2. Those remain and are HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Rootkit.Bagle)
    c:\documents and settings\Chris Reed\Application Data\drivers\winupgro.exe (Trojan.Agent)

    Based on some research I did earlier, it appears that it might be Worm_Bagle.ko.

    I have already gone through Add/Remove Programs to verify I didn't have anything installed on your list. What should I do now? Any help would be greatly appreciated! :cry
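
The message quoted in the post above is the text of Windows error 193, ERROR_BAD_EXE_FORMAT, which the loader returns when the file it is asked to run does not carry a valid DOS ("MZ") header and PE header, for example because the file was truncated or overwritten on disk. The following is an added example, not part of the original thread and not code from any of the tools it mentions, that reproduces the loader's first header checks in Python so a suspect installer copied off the infected PC can be triaged from a clean machine. The sample byte strings are constructed here and are not taken from the poster's system.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64


def check_pe_header(data: bytes) -> str:
    """Return "ok: <machine>" or the reason the Windows loader would reject the file.

    These are the first checks the loader makes before failing with
    ERROR_BAD_EXE_FORMAT (193), the error behind "... is not a valid Win32
    application": a DOS header starting with "MZ", an e_lfanew offset that lands
    inside the file, a "PE\\0\\0" signature at that offset, and a recognised
    COFF machine type.
    """
    if len(data) < 64:
        return "too short for a DOS header"
    if data[:2] != MZ_MAGIC:
        return "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):              # signature (4) + COFF header (20)
        return "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return "missing PE signature"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    if machine not in MACHINE_NAMES:
        return f"unknown machine type 0x{machine:04x}"
    return f"ok: {MACHINE_NAMES[machine]}"


def build_minimal_pe(machine: int = 0x14C) -> bytes:
    """Constructed sample: a 64-byte DOS header whose e_lfanew points at a bare
    PE signature plus COFF header. Enough for the checks above; not a runnable image."""
    dos = bytearray(64)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + PE_MAGIC + coff


# Constructed corruptions of the sample, mimicking what a damaged or
# deliberately clobbered installer might look like on disk.
_intact = build_minimal_pe()
SAMPLES = {
    "intact_x86":   _intact,
    "intact_x64":   build_minimal_pe(0x8664),
    "zeroed_mz":    b"\0\0" + _intact[2:],
    "truncated":    _intact[:40],
    "clobbered_pe": _intact[:64] + b"\0" * 24,
}


def triage(samples: dict) -> dict:
    """Run the header check over a name -> bytes mapping."""
    return {name: check_pe_header(blob) for name, blob in samples.items()}


def check_file(path: str) -> str:
    """Check a real file, e.g. an AV installer copied from the infected PC."""
    with open(path, "rb") as fh:
        return check_pe_header(fh.read())


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

Two caveats when reading the verdicts: the same Windows message also appears when a 64-bit image is run on 32-bit Windows, which is why the machine type is reported rather than assumed; and a file that passes these checks can still have been tampered with, so the real test of a downloaded installer is comparing its hash with the vendor's on a machine you trust.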
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. ganymede55

    ganymede55 Private E-2

    The FindyKill link in the instructions does not work for me. When I google FindyKill, I find a wide range of options, including some that indicate FindyKill itself is malware. Therefore, I am hesitant to try any of these. Can you please provide a better link?
     
  4. ganymede55

    ganymede55 Private E-2

    I did some snooping around using the author (Chiquitine29) as a source of validity. From what I can decipher, something happened to FindyKill very recently since Chiquitine29 just posted on Monday that FindyKill was rolled up into usbfix. At the very end, he gave links to usbfix (which doesn't work) and the new link to FindyKill. He says that usbfix has been updated to include everything from FindyKill and should be used for Bagle infections now, but since I can't download usbfix and I assume that your instructions were specific to FindyKill, I will try that approach first. Please advise if I'm heading down the wrong path.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The link changed. I fixed it. So try it now.

    It's not malware. It is a fix for the malware that commercial tools do not fix.
     
  6. ganymede55

    ganymede55 Private E-2

    Thank you! This was the same link I found and installed and am currently running. However, please note that this is a new version (6.002) and that the screen shots are substantially different in some cases. For example, the 2nd screen shot in the tool (where you choose Option 1 - Search for infected files) now has 6 options instead of 4 and #1 (which I chose) now simply says research. I might get into some questions about Disinfect and Vaccinate type options later. I apologize for not grabbing a screenshot, but the program is running now...
     
  7. ganymede55

    ganymede55 Private E-2

    Let me add a couple of screen shots to my reply below...maybe it will streamline the process of updating the FindyKill Instructions...or at least point out if I am doing something wrong.

    First, when you launch FindyKill, the desktop icon is a little different. I didn't get an image, but immediately on opening the following window stays open for ~10 seconds.

    http://forums.majorgeeks.com/attachment.php?attachmentid=117088&stc=1&d=1246747035

    The following language selection window then opens, which is very similar to the existing screenshot.

    http://forums.majorgeeks.com/attachment.php?attachmentid=117089&stc=1&d=1246747035

    The following selection menu window then opens, which is quite different from the one in the screenshots, both in wording and even number of entries.

    http://forums.majorgeeks.com/attachment.php?attachmentid=117091&stc=1&d=1246747035

    Upon making any selection, the following message appears. I'm not sure if that was there before or not.

    http://forums.majorgeeks.com/attachment.php?attachmentid=117090&stc=1&d=1246747035

    I assume the process is to do only options 1 and 2 as indicated in the original screen shots since they appear to do the same things. I don't know what Vaccinate and Listing are, so I won't do them, but at least vaccinate seems like it might be something to do? Please advise me on the best plan.
     


  8. ganymede55

    ganymede55 Private E-2

    chaslang,
    Thanks for sticking with me and happy 4th of July!

    Here's the update. I've run all the way through the recommended Bagle removal instructions. I am seeing some positive signs. The Windows Security Center and Windows Update manager both came to life where they haven't before. Additionally, I installed Avast Anti-virus again and again selected the option to do a boot-time scan. This time, it appears to actually be doing one. On the down side, I still can't connect to the Internet and when I tried to connect to Zone Alarm, it gave me the "not a valid Win32 application" error. I hope both might be because the Zone Alarm exe is corrupted beyond help? ...but somehow Windows Security Center recognizes the virus definitions are out of date. Also, I tried booting in safe mode and I got all the way to the Windows login screen (much further than before), but it still shut down. I have attached the FindyKill log files as requested and unplugged the ethernet cable from the computer again just to be safe.

    What are my next steps? Is there something I should run besides Avast (which I didn't have on the computer before) to check again if the Bagle infection is gone? Maybe FindyKill again? Should I try to uninstall Zone Alarm? Any suggestions on some combination of freeware protection (antivirus, firewall, etc.)? Anything else I should try? Again, I appreciate your help.
     


  9. ganymede55

    ganymede55 Private E-2

    Update: Avast found a lot of threats that didn't appear to be related, but I got rid of them anyway. The Internet connection still didn't work and I still couldn't open Zone Alarm to troubleshoot. I tried to uninstall Zone Alarm, but couldn't, so I installed the latest version of Zone Alarm and still couldn't connect (even after uninstalling Avast). I uninstalled this latest version and finally got an internet connection. I installed Comodo and am currently scanning the system.

    So, I think I have removed the infection completely, but is there anything else I should do to verify for sure? Run other antivirus, FindyKill, etc?

    Also, I have read the How to Protect yourself from Malware sticky and it is very good, but it gives a lot of choices. Do you have any recommendation on the best combination of tools...that play nice together? I found the post Best Free Protection that addresses most of this, but I'm not clear how this ties into the How to Protect Yourself sticky. It seems like Comodo Internet Security takes care of 2) Anti-Virus, 3) Firewalls, and 5) AntiSpyware Tools from the How to Protect Yourself sticky. Therefore, the rest still needs to be handled separately. Also, in the AntiSpyware section, it makes a distinction between the realtime blocking feature of Comodo and the rest. Thus, it sounds like I should install Spybot and SpywareBlaster as well as Comodo? Finally, are there any downsides to Comodo where Avast, etc. should be installed instead (such as too many false positives or doesn't pick up enough threats)?

    Thanks for the help to get this far!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's come back to your questions about protection after we are sure everything is clean. Please remind me after I make a statement that your logs are clean.

    Yes thanks! Looks like we will require a major overhaul since the program has been changed significantly.

    Now that you have gotten past the worst aspects of the Bagle infection, it is advisable to work thru our full cleaning process (given below) since other infections can often come with it, especially since you stated Avast found other issues. And there still could be some leftovers from Bagle.


    First try this for your Internet Connection if it is a wireless connection: Fixing Wireless Zero Config Service


    Please follow the instructions in the READ & RUN ME FIRST link and attach the requested logs when you finish these instructions.



    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  11. ganymede55

    ganymede55 Private E-2

    Well, I don't think you'll be making a statement that my logs are clean quite yet. Basically, everything ran fine until getting to ComboFix (except for finding malware including a Bagle infection) and then ComboFix and Root Repeal didn't run. Next, MGTools ran, but only for a few seconds before abruptly restarting the computer and generating a Microsoft system (error reporting message). I have attached my logs when they existed at all and error screen shots when they didn't.

    Also, I accidentally dropped a copy of RootRepeal.exe on the desktop and tried to run it, then realized it should not be in a Doc&Settings folder. I put another copy in C:\, but still no luck. Now I can't delete the one on the desktop either...same error message.

    Also, the virus scans have been clean except for restore files, so it appears it's still hiding in the restore area at least... That said, my computer is working fine on the surface. I'm only finding things when I search for them in this way. I'm not saying I want to stop...just information.

    I'm pretty sure I haven't skipped any steps.

    Thank you again for sticking with me and getting me this far!
     


    Last edited: Jul 7, 2009
  12. ganymede55

    ganymede55 Private E-2

    I went ahead and ran FindyKill again and it found some of the same infections as before, but less of them and in different places. I have attached the logs from this. I ran FindyKill after this again and pretty much everything was still there. I'm at a loss as to what to try next?
     


  13. ganymede55

    ganymede55 Private E-2

    I've rerun the same 1) Bagle removal process (FindyKill) 2) Malware removal process several times now with the exact same result (already shown below). The only thing that has changed at all is I was able to delete RootRepeal on the desktop (after it showed up with an icon on it for the first time). But my computer is behaving normally other than the worm is appearing in scans (along with most of the tools I am using). I'm also not sure what steps to turn off the virus/spyware protection? To my untrained analysis, it appears the worm has been boxed in to an area where it's not affecting me....probably in system restore based on where it is found. The only logical step I can think of now is to try even more anti-malware software in hopes one fixes it or turn off the system restore and run through the process again. I'm unsure what to do next?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should only be running what we ask you to run and nothing else. There is no need to run FindyKill anymore.

    You do need to run MGtools again though but first make sure you shutdown your antivirus program since it could be getting in the way. Also while your AV is shutdown, try running ComboFix one more time. Attach the logs.
     
  15. ganymede55

    ganymede55 Private E-2

    For the 1st time, MGTools took more than a fraction of a second to run (~5 min), so it appears to actually do something. Unfortunately, several zip errors appeared and now there are no log zip files (even the ones from earlier unsuccessful runs). Should I clear everything out and try again or run some of the bat files as hinted at in the guide? If so, which ones? Also, I have never successfully gotten ComboFix or RootRepeal to run. Is there any particular order I should do things in now? Go back to ComboFix and follow the Malware removal instructions again, but with all firewall and anti-virus protection off?
     
  16. ganymede55

    ganymede55 Private E-2

    Also, Combo fix still did not run with the same error as before (shown in the screen shot attachments). Root repeal now does not give the same error as before. Instead it pops up an "Initializing, please wait..." screen for now going on about 8 minutes, which I assume means it's not going to run...
     
  17. ganymede55

    ganymede55 Private E-2

    I deleted the corrupt zip files and reran several of the .bat files until the zip files showed up again, so I don't know if this is everything, but here is the attachment. ComboFix and RootRepeal still don't run (as described below).
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are not showing any signs of the infection anymore. But delete the below folder if it still exists from the infection:
    C:\Documents and Settings\Chris Reed\Application Data\drivers\downld

    Is the below something you knowingly added to your hosts file?
    O1 - Hosts: 144.68.130.40 downeavm100.jv2dev.local Downeavm100

    You do need to uninstall the below very outdated Sun Java versions which is a security risk:
    Java 2 Runtime Environment, SE v1.4.2_04
    Java 2 SDK, SE v1.4.2

    After a reboot, install the current version of Sun Java from: Sun Java Runtime Environment

    Also I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    Now let's cleanup.

    Delete the below folders left from failed attempts at running ComboFix:
    C:\ComboFix
    C:\32788R22FWJFW
    C:\32788R22FWJFW.0.tmp
    C:\32788R22FWJFW.1.tmp
    C:\32788R22FWJFW.2.tmp
    C:\32788R22FWJFW.3.tmp


    Now if you are not having any other malware problems, it is time to do our final steps and the link at the end should address questions about protection software.
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  19. ganymede55

    ganymede55 Private E-2

    Chaslang,
    I did everything you asked below (except still working on getting rid of/moving some of the desktop items). However, combofix did not uninstall when running that command. Instead, it created the C:\32788R22FWJFW folder again. Keep in mind that it never ran correctly, so I guess this isn't surprising. Anything I need to do? Just delete the exe? Also, RootRepeal is still sitting in C:\. Should I delete it as well?

    Yes, I did add this into my hosts file myself a while back, so it is not an issue.

    Thanks again for sticking with me to get me through this! As soon as I am done completely, an image will be burned.
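
Chaslang's question about the `O1 - Hosts:` line two posts up is the check a helper does by eye: every hosts entry beyond the stock `localhost` lines should be one the owner can account for. The script below is an added example, not part of the original thread and not code from any of the tools it mentions, that does the same review systematically and additionally flags mappings that point a security vendor's or update service's name at loopback or 0.0.0.0, a common way for malware to stop AV updates and downloads (the thread does not say this particular infection did so). The sample file text is constructed here around the default Windows XP entries and the line quoted in the thread, and the vendor name list is an assumption to be extended for whatever products are actually installed.

```python
import ipaddress

# Entries every Windows hosts file ships with; anything else deserves a look.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Assumed list of name fragments belonging to security vendors and update
# services; extend it for the products actually installed on the machine.
SECURITY_VENDOR_HINTS = (
    "avast", "avg", "microsoft", "windowsupdate", "zonealarm", "zonelabs",
    "malwarebytes", "superantispyware", "comodo", "symantec", "mcafee", "kaspersky",
)

# Constructed sample, modelled on the Windows XP default file plus the
# "O1 - Hosts" line quoted in the thread and two invented redirections.
# Not the poster's real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
144.68.130.40   downeavm100.jv2dev.local Downeavm100
127.0.0.1       www.avast.com      # invented: vendor name sent to loopback
0.0.0.0         update.microsoft.com
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs; one line may carry several names for one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            yield parts[0], host


def classify(ip: str, host: str) -> str:
    """Verdict for one entry: default, malformed, vendor block, sinkhole or custom."""
    name = host.lower()
    if (ip, name) in DEFAULT_HOSTS:
        return "default"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed address"
    # Mapping a name to loopback or 0.0.0.0 makes it unreachable; done to a
    # security vendor's name it silently breaks updates and downloads.
    if addr.is_loopback or addr.is_unspecified:
        if any(hint in name for hint in SECURITY_VENDOR_HINTS):
            return "BLOCKS security vendor"
        return "sinkholed name"
    return "custom mapping (confirm you added it)"


def audit_hosts(text: str) -> list:
    """Return [(ip, host, verdict), ...] for every entry in the file text."""
    return [(ip, host, classify(ip, host)) for ip, host in parse_hosts(text)]


def audit_file(path=r"C:\WINDOWS\system32\drivers\etc\hosts") -> list:
    """Audit a real hosts file; the default path is the assumed Windows XP location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for ip, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:16s} {host:30s} {verdict}")
```

On the constructed sample the `144.68.130.40` line comes back as a custom mapping, which is the right verdict for an entry the owner added deliberately; only the two invented loopback and 0.0.0.0 lines are flagged as blocking a vendor. The name-fragment match is deliberately coarse, so treat a "BLOCKS" verdict as a prompt to look at the line, not as proof of infection.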
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Running the rest of the steps including MGclean.bat may take care of it for you. If not, just delete any left over yourself.
     
